Is Your Campus Network Exempt From CALEA?

In June, the U.S. Court of Appeals for the D.C. Circuit ruled that the Federal Communications Commission can require Internet service providers, including colleges and universities, to make network upgrades in keeping with federal surveillance requirements under the Communications Assistance for Law Enforcement Act. At the same time, the court reaffirmed CALEA provisions that specifically exempt private networks from wiretapping regulation by the FCC.

The American Council on Education has published a legal analysis to help institutions determine whether their broadband and Voice-over-Internet-Protocol (VoIP) networks are private networks and therefore exempt from CALEA. Among the considerations is an examination of whether the campus network is self-contained--that is, limited to campus constituencies such as students, faculty, and staff--or made available to the general public. If there is significant network access and/or usage by those outside of the campus community, the network would probably not be deemed private and would therefore be subject to CALEA. The way the campus network connects to the Internet is another key factor.

The legal analysis supports the higher education community's initial view that many, if not most college and university networks will be exempt from CALEA. Campus technology and legal departments, however, should work closely in developing your institution's approach.

In related news, the FCC published a final rule last month addressing the assistance capabilities required under CALEA for broadband Internet access providers and providers of interconnected VoIP. Published in the July 5, 2006, Federal Register, the rule sets forth implementation details regarding the application of CALEA to broadband networks. Institutions with networks that are not deemed private or that provide their own connection to the Internet will be required to submit a security plan 120 days after publication of a forthcoming Federal Register notice, expected soon. These plans must explain how the institution will handle employee supervision and control, as well as related matters. Updates of network equipment covered by CALEA must be completed by May 14, 2007.